Security Handshake Pitfalls

Similar documents
Security Handshake Pitfalls

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

CSC 474/574 Information Systems Security

Authentication Handshakes

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Security Handshake Pitfalls

Security Handshake Pitfalls

6. Security Handshake Pitfalls Contents

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Password. authentication through passwords

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Authentication Protocols. Outline. Who Is Authenticated?

Session key establishment protocols

Session key establishment protocols

Cryptographic Protocols 1

HOST Authentication Overview ECE 525

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

User Authentication. Modified By: Dr. Ramzi Saifan

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Real-time protocol. Chapter 16: Real-Time Communication Security

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Cryptographic Checksums

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

User Authentication. Modified By: Dr. Ramzi Saifan

CS 494/594 Computer and Network Security

User Authentication Protocols

Strong Password Protocols

Trusted Intermediaries

AIT 682: Network and Systems Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Key Establishment and Authentication Protocols EECE 412

Data Security and Privacy. Topic 14: Authentication and Key Establishment

UNIT - IV Cryptographic Hash Function 31.1

Cryptography and Network Security

User Authentication Protocols Week 7

Lecture 1: Course Introduction

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Unit-VI. User Authentication Mechanisms.

(2½ hours) Total Marks: 75

CS November 2018

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Security: Focus of Control. Authentication

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC/ECE 774 Advanced Network Security

Identification Schemes

1 Identification protocols

Network Security Chapter 8

CIS 6930/4930 Computer and Network Security. Final exam review

Computer Security 4/12/19

Network Security (NetSec)

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Message authentication

Lecture 19: cryptographic algorithms

Security: Focus of Control

Authentication in Distributed Systems

Network Security. Kerberos and other Frameworks for Client Authentication. Dr. Heiko Niedermayer Cornelius Diekmann. Technische Universität München

Lecture 15: Cryptographic algorithms

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CSC 774 Network Security

Lecture 9. Authentication & Key Distribution

Kurose & Ross, Chapters (5 th ed.)

CPSC 467b: Cryptography and Computer Security

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CSC 482/582: Computer Security. Security Protocols

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

Computer Networks. Wenzhong Li. Nanjing University

Information Security CS 526

CS 161 Computer Security

CSCE 813 Internet Security Kerberos

Spring 2010: CS419 Computer Security

Securing Internet Communication: TLS

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

5. Authentication Contents

Elements of Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CS Protocol Design. Prof. Clarkson Spring 2017

AIT 682: Network and Systems Security

A Two-Fold Authentication Mechanism for Network Security

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

Transcription:

Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1

Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response Symmetric key Public key 2

Symmetric Key Challenge-Response An example protocol: I m a challenge R F(K AB,R) Authentication not mutual (login only) Subject to connection hijacking (login only) Subject to off-line password guessing (if K is derived from password) s database has keys in the clear 3

Symmetric Key Challenge-Response An alternative protocol: I m K AB {R} R Requires reversible cryptography Subject to dictionary attack, without eavesdropping, if R is recognizable Can be used for mutual authentication if R is recognizable and has limited lifetime 4

Symmetric Key Challenge-Response A one-message protocol: I m, K AB {timestamp} Easy integration into password-sending systems More efficient: Single message, stateless Care needed against replays: timeout needed Care needed if key is common across servers Clock has to be protected as well Alternatively, with a hash function, send, I m, timestamp, H(K AB,timestamp) 5

Public Key Challenge-Response By signature: I m R [R] A 6

Public Key Challenge-Response By decryption: I m {R} A R Problem: (or Trudy) can get to sign/decrypt any text he chooses. Solutions: Never use the same key for different purposes (e.g., for login and signature) Use formatted challenges 7

Mutual Authentication An example protocol: I m R 1 F(K AB,R 1 ) R 2 F(K AB,R 2 ) 8

Mutual Authentication with Few Messages Number of messages for mutual authentication can be reduced: I m, R 2 R 1, F(K AB,R 2 ) F(K AB,R 1 ) However, this protocol is vulnerable to Reflection attack Dictionary attack :Trudy can do dictionary attack against K AB acting as, without eavesdropping. 9

Reflection Attack: Original session: I m, R 2 Trudy R 1, F(K AB,R 2 ) F(K AB,R 1 ) Decoy session: I m, R 1 Trudy R 3, F(K AB,R 1 ) 10

Results from Reflection Attack Solutions: Different keys for and Formatted challenges, different for and Principle: Initiator should be the first to prove its identity 11

A Modified Mutual Authentication Scheme Solution against both problems: I m R 1 F(K AB,R 1 ), R 2 F(K AB,R 2 ) Dictionary attack is still possible if Trudy can impersonate. 12

Mutual Authentication with Public Keys I m, {R 2 } B R 2, {R 1 } A R 1 Problem: How can the public/private keys be remembered by ordinary users? Possibly, they can be retrieved from a server with password based authentication & encryption. 13

Session Key Establishment A session key is needed for integrity protection and encryption in a communication session. It must be different for each session unguessable by an eavesdropper not K AB {x} for some x predictable/extractable by an attacker Session keys can be established by using Symmetric encryption Public key encryption 14

Session Key Establishment with Symmetric Encryption I m R K AB {R} Do not use K AB {R} or K AB {R+1} Take (K AB +1){R} as the session key. I m R+1 K AB {R+1} 15

Session Key Establishment with Public Key Cryptosystem An alternative is to use Diffie-Helman key exchange algorithm. Another alternative with PKC, send additional random nonces {R} A, {R} B and use them to derive a session key. {R 1 } B {R 2 } A K R 1 R 2 = K = R 1 R2 16

Key Establishment and Authentication with KDC A simple protocol:, K A {, K AB } KDC K B {, K AB } Problem: Potential delayed key delivery to. (besides others) 17

Key Establishment and Authentication with KDC Another simple protocol:, K A {, K AB }, ticket B where ticket B = K B {, K AB } KDC, ticket B Problems: No freshness guarantee for K AB & need to authenticate 18

Nonces Nonce: Something created for one particular occasion Nonce types: Random numbers Timestamps Sequence numbers Random nonces needed for unpredictability Obtaining random nonces from timestamps: encryption with a secret key. 19

Needham-Schroeder Protocol N 1,, K A {N 1,, K AB, ticket B } where ticket B = K B {K AB, } KDC ticket B, K AB {N 2 } K AB {N 2-1, N 3 } K AB {N 3-1} 20

Needham-Schroeder Protocol Ticket is double-encrypted. (unnecessary) N 1 : for authenticating KDC & freshness of K AB. N 2, N 3 : for key confirmation, mutual authentication Why are the challenges N 2, N 3 encrypted? Problem: doesn t have freshness guarantee for K AB (i.e., can t detect replays). 21

Replaying Tickets Messages should be integrity protected. Otherwise, cutand-paste reflection attacks possible: replay ticket B, K AB {N 2 } Trudy K AB {N 2-1, N 3 } K AB {N 3-1} ticket B, K AB {N 3 } Trudy K AB {N 3-1, N 4 } 22

Expanded Needham-Schroeder Protocol hello K B {N B } N 1,,, K B {N B } K A {N 1,, K AB, ticket B } where ticket B = K B {K AB,, N B } KDC ticket B, K AB {N 2 } K AB {N 2-1, N 3 } K AB {N 3-1} 23

Protocol Performance Comparison Computational Complexity: (to minimize CPU time, power consumption) Number of private-key operations public-key bytes encrypted with secret key bytes hashed Communication Complexity: Number of message rounds Bandwidth consumption 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback